The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.
Because of this, your Privacy Policy is going to be an important part of your GDPR compliance plan.
Here's what you need to know about updating your current Privacy Policy, having adequate Privacy Notices and getting your users to consent to your Policy terms in accordance with the GDPR.
The GDPR is a new legal framework from the EU that takes effect on May 25, 2018. It replaces the 1995 Data Protection Directive.
This law is designed to accomplish two main things:
Regardless of where in the world your business is located, the GDPR applies to any business that does one or both of the following:
This means that a business located in Canada that only collects phone numbers for text message marketing to people in the EU will be required to comply with the GDPR.
While the Data Protection Directive only applied to data controllers, the GDPR now applies to data processors as well.
Each role has specific requirements that you'll also need to be aware of.
For example, data controllers must now conduct Data Protection Impact Assessments (DPIAs) for processing that is likely to be high-risk, and use more rigorous methods of obtaining consent before collecting data.
Data processors will have to keep written records of their processing, strengthen the security measures that protect the data, and notify data controllers of any breach that affects the data.
If your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data (or you are a public authority), you will be required to appoint a Data Protection Officer (DPO) to oversee your data protection strategy and GDPR compliance.
The GDPR requires that users are provided with thorough information about how their personal data is processed.
According to Article 12 of the GDPR, you need to let people know about how you process personal data in the following ways:
This can be accomplished with a good Privacy Policy and privacy notices.
This article is only going to cover the Privacy Policy, privacy notice and consent aspects of GDPR compliance.
Remember that under the GDPR, you need to communicate your data collection and processing procedures in a way that's concise, transparent, intelligible and in clear and plain language.
The GDPR now requires you to disclose more information in your Privacy Policy. However, it also requires you to do it in a more concise and clear way.
By having an informative, detailed, yet user-friendly Privacy Policy as well as concise summarized Privacy Notices you can effectively satisfy the requirements of the GDPR.
Data protection laws around the world require a Privacy Policy when you collect or use personal information from your users, so chances are you already have this agreement in place on your website.
A Privacy Policy is where you let your users know:
Privacy Policies tend to be long, dense legal agreements with a lot of detailed information. Your users might feel intimidated by page after page of technical information, which is what the GDPR is working to avoid.
Update your Privacy Policy to be GDPR-compliant by removing as much legalese as possible and using only clear, simple language that your average reader will be likely to understand.
Along with the seven standard points above, you must also include the following information in your Privacy Policy to be GDPR-compliant.
Note that each point doesn't have to be a separate clause. As long as the information is somewhere in your Policy, it will work.
The data controller will likely be your business, unless your business operates as a data processor for other companies.
Chances are your Privacy Policy already includes contact information. If not, you need to add this information in right away.
If you have a Data Protection Officer, add in specific contact information for your users to contact this person directly with issues related to privacy.
Your users need to know why you're collecting and using their personal data. Be as specific as possible here when disclosing your practices.
These rights are the right to access the data you hold, to have it corrected, to have it erased, to restrict or object to its processing, to receive a copy in a portable format, and to withdraw consent at any time.
For example, if you collect email addresses, give users a way to see which ones you have on file, a way to update or change them, and a way to delete them.
Some businesses choose to make an organized list of each of the rights. Others work each right into a paragraph or several paragraphs. As long as each right is somewhere within your Privacy Policy in an intuitive section, you'll be compliant.
Here's how Twitter discloses some of the user rights in an organized section in its Privacy Policy. Note how three of the rights are covered in one sub-section, while another right is covered in a separate one. There are other rights that are addressed elsewhere in the Privacy Policy, as well:
If you use personal data to make automated decisions - such as for credit scoring, loan screening, profiling users or making employment decisions - you need to disclose this to users.
You can let users know that you don't do this if you want, but it's not required.
If your business transfers personal data to a different country or international organization, you need to let users know this.
Include one of the following as well:
Whether the European Commission has issued an adequacy decision for the destination country, or
An explanation of the "suitable safeguards" you have in place for the transfer (such as binding corporate rules or standard contractual clauses), and how your users can go about requesting a copy of them.
Under the GDPR, you need a lawful basis for processing any personal data. Article 6 provides six: consent, performance of a contract, a legal obligation, the data subject's vital interests, a task in the public interest, and your legitimate interests. Each processing activity must rest on one of them.
For a typical online business the two most common are consent and legitimate interests.
If you rely on legitimate interests, state in your Privacy Policy what that interest is; the GDPR requires you to disclose it.
This requirement will likely be met through a combination of your clauses that cover what personal data you're collecting and how you're using the data.
For example, you may collect phone numbers for communicating with users, use cookies to remember user login information, and collect payment and financial information like credit card numbers for processing payments.
Consent is only one of the six bases, not a blanket requirement: if you process data to perform a contract or under legitimate interests, you don't also need consent for the same processing. When you do rely on consent, the GDPR sets a high bar (Article 7): it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
As with all of your website legal agreements, you're going to need to get your users to agree to your Privacy Policy and, where consent is your lawful basis, to provide that consent before you collect their personal data.
Now that you have an enhanced Privacy Policy that complies with the GDPR, you're going to have to meet the enhanced consent requirements as well.
Before you collect basic personal information (email addresses, names, financial information, etc.), you'll need to get clear, unambiguous affirmative consent.
Before collecting sensitive personal information (sexual orientation, health data, political/religious views, etc.), you'll need to get explicit consent.
The most reliable way to satisfy this requirement is an unticked checkbox (clickwrap). Make your users actively tick a box next to a statement that says by ticking it, the user is agreeing to your Privacy Policy terms, and link to your Privacy Policy there. Never pre-tick the box: under the GDPR a pre-ticked box, silence or inactivity does not count as consent, and a separate box is needed for each distinct purpose, such as marketing email.
There's something else you can do to satisfy the enhanced requirements under the GDPR: provide Privacy Notices.
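As an added example (not code from the original article or from any of the companies it mentions), here is the logic behind a GDPR-style clickwrap in plain JavaScript: a mandatory, un-preticked checkbox for the purpose needed to deliver the service, an optional separate box for marketing, explicit consent for special-category data only when the user actually supplied some, a consent record you can later produce as evidence of who agreed to what and when, withdrawal, and an audit that catches pre-ticked boxes in the rendered form. The field names, purposes and policy version string are assumptions made for the demo.

```javascript
// Added example; the field names, purposes and POLICY_VERSION below are
// assumptions for the demo, not the page's or any vendor's real form.
const POLICY_VERSION = "privacy-policy-v3"; // assumed identifier of the published Policy text

// One checkbox per purpose. A single blanket "I agree to everything" box is
// not specific enough to be valid consent.
const PURPOSES = {
  accountConsent: "create and operate your account",
  marketingConsent: "send you marketing email",
  healthConsent: "process the health information you entered (special-category data)",
};

// `fields` is a plain object of field name -> value, as produced by
// Object.fromEntries(new FormData(form)). An unchecked checkbox is simply
// absent; a checked one is "on". Returns { ok, errors, record }.
function evaluateConsent(fields, now = new Date()) {
  const errors = [];
  const granted = [];

  // Only the box needed to deliver the service is mandatory. Marketing must
  // stay optional, or the consent is not "freely given" (Art. 7(4)).
  if (fields.accountConsent !== "on") {
    errors.push("accountConsent: an affirmative tick is required");
  }
  for (const name of Object.keys(PURPOSES)) {
    if (fields[name] === "on") granted.push(name);
  }

  // Special-category data (Art. 9) needs explicit consent, but only demand it
  // when the user actually supplied such data.
  const healthInfo = (fields.healthInfo || "").trim();
  if (healthInfo !== "" && fields.healthConsent !== "on") {
    errors.push("healthConsent: explicit consent is required for health data");
  }

  if (errors.length > 0) return { ok: false, errors, record: null };

  // Store this with the account: it is your evidence of who consented, to
  // which purposes, under which Policy wording, and when (Art. 7(1)).
  const record = {
    policyVersion: POLICY_VERSION,
    consentedAt: now.toISOString(),
    purposes: granted.map((name) => ({ name, description: PURPOSES[name] })),
    withdrawals: [],
  };
  return { ok: true, errors, record };
}

// Withdrawal must be as easy as giving consent (Art. 7(3)). Drops the purpose
// and stamps when it happened; returns a new record, leaving the old one intact.
function withdrawConsent(record, purposeName, now = new Date()) {
  return {
    ...record,
    purposes: record.purposes.filter((p) => p.name !== purposeName),
    withdrawals: [...record.withdrawals, { name: purposeName, at: now.toISOString() }],
  };
}

// Pre-ticked boxes do not count as consent (Recital 32). Run this over the
// rendered form, e.g. document.querySelectorAll('input[type=checkbox]'), so a
// template change cannot quietly re-introduce one. Returns offending names.
function findPretickedBoxes(checkboxes) {
  return Array.from(checkboxes)
    .filter((box) => box.defaultChecked)
    .map((box) => box.name);
}
```

In the browser you would call `evaluateConsent` from the form's submit handler and refuse to submit while `ok` is false, showing `errors` next to the relevant boxes; the returned `record` is what gets persisted server-side next to the account.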
A Privacy Notice is a simple yet informative notice that lets a user know why you're collecting data. These notices can be added to places on your website or mobile app where you're requesting to collect user data, such as at a field where a user can enter an email address.
For example, uSwitch asks users for an email address and a phone number, both of which are personal data under the GDPR.
Next to the fields where this information is requested, there are small question mark icons that users can click for more information via a Privacy Notice.
When a user clicks on the question mark, they're presented with a short notice that explains, in clear, basic language, why that piece of information is being requested. Here, it's so that uSwitch can email a copy of the comparison results to the user.
This type of notice is referred to as a just-in-time notice.
These notices don't negate the need for a full, accessible Privacy Policy.
uSwitch still provides a footer link to its Privacy Policy.
The full Privacy Policy includes information about collecting email addresses to provide price comparisons. However, you can see how it's included with a lot of other information and is rather lengthy and dense.
It's easy to see how a short Privacy Notice at the point of data collection can help users be informed of your data collection practices in a concise, clear and easy-to-understand way.
Consider linking your full Privacy Policy within your Privacy Notice for additional transparency and user-friendly formatting.
Here are a couple of examples of Privacy Policies that would meet GDPR requirements by being user-friendly and informative.
The Mouseflow Privacy Policy starts out as most standard Privacy Policies do, with a clause about what information is collected.
It continues on with a clause that covers how the information is used.
However, you can start to see more transparency than most Privacy Policies when you get to the section about how Mouseflow shares information.
This section is broken down into two types of information that will be shared:
This is important because the GDPR and other privacy laws only apply to personal data, that is, information relating to an identified or identifiable person; properly anonymised or aggregated data falls outside them.
Creating this distinction in the Privacy Policy is good for legal compliance as well as clarity for users. While most Privacy Policies currently don't draw it, the growing number of privacy laws will likely make this distinction a requirement eventually.
The Privacy Policy continues with fairly standard clauses including:
Mouseflow points out specifically for EU clients that it complies with the EU Data Protection Directive requirements. Since the GDPR replaces the Directive, this clause will need to be updated to reference the GDPR once it takes effect.
Another successful Privacy Policy example can be seen with Pipedrive.
Pipedrive is very specific with disclosing how it uses information it collects. This helps satisfy the lawful basis and legitimate interest requirement of the GDPR.
You can see that it includes operations, improvements and communications - all of which are legitimate business purposes.
Pipedrive includes a section about user choices when it comes to user data. This section covers accessing data, correcting it, deleting it, objecting to it being collected, declining to provide it and other rights users have under the GDPR.
Another important part of the GDPR is that businesses cannot retain data beyond a reasonable time. To address this, Pipedrive's Privacy Policy includes a Data Retention clause that sets forth how long it keeps its collected data.
Also in line with the GDPR, Pipedrive's Privacy Policy includes a clause about Data Controllers and Data Processors, disclosing that it is neither a controller nor a processor of data. It does so in a way that explains to users what a controller and a processor would each do, which is helpful.
To summarize: